Windows registry harnesser for incident response and digital forensic analysis

What is it about?

The extraction of digital evidence from storage media is a growing concern in digital forensics, due to the time and space complexity in acquiring, preserving and analysing digital evidence. Microsoft Windows Registry is an example of a potential source of digital evidence that contains a database of evidential information about both the system and users. However, due to the vastness of the Registry, it is difficult to manually sift through this database to extract potential evidence. Furthermore, manually sifting provides room for human error, which could invalidate the entire forensic investigation. This time-consuming and error-prone process can cause several delays in processing and presenting criminal cases during litigation. The need for an automated extraction and analysis process of digital evidence is therefore inherently needed. The aim of this research is to develop an automated forensically sound process for Windows Registry investigation. This entails setting up strict and reliable measures for an investigator to follow whilst minimizing human interaction through automation. To achieve this, an acquisition and analysis tool was developed. A comparative analysis of the developed tool to existing tools showed increased performance with respect to time and forensic soundness.

Featured Image

Photo by Markus Spiske on Unsplash

Photo by Markus Spiske on Unsplash

Why is it important?

Crime is always on the rise and with this, the burden of conducting digital investigations, the analysis of the Windows registry has been somewhat overlooked. The Windows registry is a large source of potential digital evidence.